From f39fa2fee948590ac4c895c1339f41eac9ebd575 Mon Sep 17 00:00:00 2001
From: George Hartzell <hartzell@alerce.com>
Date: Thu, 21 Sep 2017 06:22:09 -0700
Subject: Use trusted/historic site for texlive installer (#5347)

* Make texlive untrusted

TeXLive updates their installer without changing its name.  We've been
playing keep-up with them, but I'm proposing it's not worth it.

I seem to end up installing it '--no-checksum' anyway.

This commit updates the package to make that approach official,
removing the checksum, adding a note to the description and a bigger
note/comment inthe package body.

* Pull installer from stable source (packages are still *live*)

This pulls the installer script from the "historic" repository.  It
appears to be stable, so that we can use a checksum with it (one
hopes, time will tell).

The installer still pulls the packages from the live repos so
installations aren't reproducible.
---
 var/spack/repos/builtin/packages/texlive/package.py | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

(limited to 'var')

diff --git a/var/spack/repos/builtin/packages/texlive/package.py b/var/spack/repos/builtin/packages/texlive/package.py
index 33ff76f6a8..85f8d904de 100644
--- a/var/spack/repos/builtin/packages/texlive/package.py
+++ b/var/spack/repos/builtin/packages/texlive/package.py
@@ -28,21 +28,24 @@ import os
 
 class Texlive(Package):
     """TeX Live is a free software distribution for the TeX typesetting
-       system"""
+       system.  Heads up, it's is not a reproducible installation."""
 
     homepage = "http://www.tug.org/texlive"
 
-    # Pull from specific site because the texlive mirrors do not all
-    # update in synchrony.
+    # Install from specific site because the texlive mirrors do not
+    # all update in synchrony.
     #
     # BEWARE: TexLive updates their installs frequently (probably why
     # they call it *Live*...).  There is no good way to provide a
-    # repeatable install of the package.  We try to keep up with the
-    # digest values, but don't be surprised if this package is
-    # briefly unbuildable.
+    # repeatable install of the package.
     #
-    version('live', '8925a175d2b69f5328003893b284a008',
-            url="http://ctan.math.utah.edu/ctan/tex-archive/systems/texlive/tlnet/install-tl-unx.tar.gz")
+    # We're now pulling the installation bits from tug.org's repo of
+    # historic bits.  This means that the checksum for the installer
+    # itself is stable.  Don't let that fool you though, it's still
+    # installing TeX **LIVE** from e.g. ctan.math.... below, which is
+    # not reproducible.
+    version('live', '8f8fc301514c08a89a2e97197369c648',
+            url='ftp://tug.org/historic/systems/texlive/2017/install-tl-unx.tar.gz')
 
     # There does not seem to be a complete list of schemes.
     # Examples include:
-- 
cgit v1.2.3-70-g09d2